ISE - Firepower pxGrid licensing

dan.letkeman · ‎04-18-2017

Hello,

I would like to use ISE as an identity source for Firepower URL filtering and I am wondering if this option is included with the ISE base licenses? I have read on the forums that you might need to have at least one PLUS license to enable this feature? Can anyone confirm that you can use pxGrid without having to upgrade all base licenses on ISE to plus licenses?

Thanks,

Dan.

Karsten Iwen · ‎04-19-2017

You need the same amount of PLUS licenses as you have base licenses. This is from the ordering-guide:

Q: How do I use pxGrid with Plus licenses?
A: pxGrid is used to share context collected by ISE with other products. A Plus license is required to enable pxGrid functionality. There is no session count decrement when context for session is shared. However, since context shared is across the entire number of sessions in ISE, to use pxGrid, the number of Plus sessions licensed must be equal to the number of Base sessions licensed.

dan.letkeman · ‎04-19-2017

This document contradicts that statement.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_0101.html

"A Plus license turns on the pxGrid feature. This feature does not consume licenses."

It also explains that if you buy ISE-PIC and upgrade to BASE ISE licensing you get limited pxGrid features:

"Passive identity services available as part of the upgrade from ISE-PIC to a Base license include limited pxGrid features available to Cisco subscribers only."

I have an email into my SE who is also looking into this. If anyone else has come across this issue of having to pay huge licensing costs just for user information in FMC using ISE as the user source vs using the SFUA which is free to use.

Thanks,

Dan.